The US Spends Billions on Cybersecurity — but No One Is Sure Exactly How Much

MOST POPULAR

In the wake of Russian meddling in the 2016 presidential election, massive breaches of IRS tax records, and the theft of more than four million employee files from the Office of Personnel Management, it’s small wonder the federal government has steadily beefed up its cybersecurity activities.

Between 2007 and 2016, federal spending on unclassified programs to combat malicious cyberattacks rose sharply, from $7.5 billion to $28 billion, a nearly four-fold increase, according to a new analysis by Taxpayers for Common Sense.

Last year, the Defense Department – the biggest U.S. player in cyber warfare -- spent at least $18.5 billion on efforts to foil cyber intruders, a nearly 30 percent increase over the previous year’s spending. The Department of Homeland Security spent $1.7 billion, for a nine percent increase, while the Department of Treasury spent $2.8 billion, a 42.7 percent increase over fiscal 2015.

The federal government’s cybersecurity role is highly complex, according to Taxpayers for Common Sense. It involves protecting federal information systems, determining the proper federal role in protecting non-federal systems like health care insurance companies and the entertainment industry, and presumably preparing for its own offensive cyber operations.

Yet as the new study indicates, there is no universally accepted definition of what cybersecurity actually means. Moreover, the public and even lawmakers don’t have a clue as to how much the government is actually spending overall on this vital activity.

The $28 billion annual figure cited in the TCS’s new on-line interactive analysis is based on a thorough combing of government budget and appropriations documents of unclassified cybersecurity spending for the past decade. But that figure is really only the tip of the iceberg.

Much of the additional cost is hidden away in classified “black” budgets that are off limits to the public and even some members of Congress. Some of those funds are blended into broad-based government technology programs and are difficult to tease out.

How much more is being spent on classified cybersecurity activity is anybody’s guess, but it is almost certain to run in the many billions of dollars.

Key members of Congress who write the annual spending bills were alarmed enough about all this invisible spending to lodge a protest in the fiscal 2017 omnibus appropriations bill. The spending measure fully funded the Pentagon’s base requirement of $6.7 billion for cyberspace activities, a nearly $1 billion increase over the prior year.

However, the appropriators complained in the spending document that while the Pentagon and the military services “provided some level of detail” on both unclassified and classified activities, “much of the funding is encompassed within larger programs and funding lines, which limits visibility and congressional oversight.”

Beginning next year, the Department of Defense chief information officer has been directed to take steps to provide “increased visibility and clarity” into the cyberspace activities funding requirements and the need for additional funding.

Obviously, spending on the government’s most sensitive cybersecurity activities should remain classified. That includes, for instance, the Pentagon’s effort to counteract enemy cyberattacks or launch retaliatory strikes against global adversaries. But that doesn’t mean that all of those costly activities should be shrouded in mystery.

Taxpayers for Common Sense hailed the congressional demand for more clarity from the Defense Department. But the group urged lawmakers to broaden that request to government agencies across the board.

Washington Editor and D.C. Bureau Chief Eric Pianin is a veteran journalist who has covered the federal government, congressional budget and tax issues, and national politics. He spent over 25 years at The Washington Post.